If your Flex instance is running Flex UI 2.7.x or later, migrate your SSO connection to a new solution that offers enhanced security using OAuth 2.0.
All Flex customers using the legacy SSO configuration need to migrate to the enhanced SSO configuration prior to June 2025.
Migrating to enhanced SSO configuration requires changes in two places: Flex Console and your IdP. When choosing a setup type, consider whether the Flex administrator has access to make changes in the IdP. If you need to collaborate with an IdP administrator on the migration, this may influence which setup method works best for your organization.
With this option, the IdP administrator will update the Entity ID and ACS URL for the existing IdP application used for Flex.
With this option, the IdP administrator will set up a new IdP application to use for Flex.
Migrating has three or four steps, depending on your setup type:
Enter identity provider data.
Note: This page only appears if you create a new SSO connection. If you modify your existing connection, Flex uses the IdP data from your legacy connection, so you don't need to enter this information again.
If you're a self-hosted Flex customer, you have to do an additional step before validating your new SSO connection. See Self-hosted Flex: additional SSO configuration for instructions.
To start your migration:
Click Start setup.
The Single sign-on set up workflow appears.
In this step, the IdP administrator sets the Entity ID and ACS URL values for the new connection in the IdP. However, the IdP may not use the same labels to identify these values.
Check the following table to see what field labels your IdP uses. If you need help locating the fields, click the IdP name in the table to go to the full setup instructions. There, you can find the steps to navigate to the appropriate page in your IdP.
IdP | IdP page | Entity ID label | ACS URL label |
---|---|---|---|
Google SSO | Service provider details | Entity ID | ACS URL |
Okta IdP | Create SAML integration | Audience URI (SP Entity ID) | Single sign on URL |
Salesforce SSO | Web App settings | Entity ID | ACS URL |
Azure AD | SAML > General SAML settings | Identifier (Entity ID) | Reply URL (Assertion Consumer Service URL) |
Auth0 IDP | SAML2 Web App > Settings | audience setting | Application Callback URL |
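
Whatever labels the IdP uses, the two values end up in the same places in the SAML response it issues: the Entity ID as the assertion's `Audience`, and the ACS URL as the response `Destination` and the `SubjectConfirmationData` `Recipient`. The following check is an added example, not part of the Flex documentation or any vendor tooling; it reads a captured response and reports any field that still carries the legacy values. The URNs and URLs are constructed placeholders, not the real Flex values.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response; a real one arrives in the SAMLResponse POST field.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{acs}">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{acs}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{entity}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def decode_saml_response(form_value):
    """Base64-decode the SAMLResponse form field (HTTP POST binding)."""
    return base64.b64decode(form_value)

def check_saml_targets(response_xml, entity_id, acs_url):
    """List mismatches between a SAML response and the expected SP values.
    Inspects routing fields only; it does not verify the XML signature."""
    root = ET.fromstring(response_xml)
    problems = []
    audiences = [a.text.strip() for a in
                 root.findall(".//saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} lacks Entity ID {entity_id}")
    destination = root.get("Destination")
    if destination is not None and destination != acs_url:
        problems.append(f"Destination {destination} is not ACS URL {acs_url}")
    recipients = [d.get("Recipient") for d in
                  root.findall(".//saml:SubjectConfirmationData", NS)]
    if not recipients or any(r != acs_url for r in recipients):
        problems.append(f"Recipient {recipients} is not ACS URL {acs_url}")
    return problems

if __name__ == "__main__":
    # Placeholder values standing in for the new connection's Entity ID and ACS URL.
    new_entity, new_acs = "urn:example:sp:new", "https://sp.example.test/new/acs"
    legacy = SAMPLE.format(entity="urn:example:sp:legacy",
                           acs="https://sp.example.test/legacy/acs")
    for line in check_saml_targets(legacy, new_entity, new_acs):
        print(line)
```

Run it only on responses captured from your own test login, since the parser is not hardened for hostile XML.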
To update your IdP:
This page only appears in the workflow for creating a new SSO connection.
If you're a self-hosted Flex customer, you must provide a value for the Trusted domains field and the Domain redirect URL field, in addition to the fields marked as required on the page. See How do I log in to a self-hosted domain? to make sure your domain URL conforms to one of the allowed patterns.
If you were previously logged in to Flex, you'll need a new login to validate your new SSO connection. You can either log out of Flex and log back in, or you can log in using a private or incognito browser.
When prompted, enter the credentials of a user who has access to the application in your IdP used for Flex.
Flex loads when your login is successful.
This returns you to the Single sign-on page:
Flex saves your legacy connection details for 30 days after completing the migration. If you experience login issues during this time, you can switch back while you troubleshoot your SSO connection.
If you modified your existing connection, you have only one SSO connection defined. To switch to your legacy connection, have the IdP administrator revert the Entity ID and ACS URL values in your IdP to those of your previous connection.
On the Single sign-on page, under New connection saved, click switch back to legacy connection.
The Revert SSO connection page appears.
When you want to return to using your new connection, complete the migration steps again.
If you created a new SSO connection, both your OAuth 2.0 connection and your legacy connection are saved. Switch back to your previous connection using the link on the Single sign-on page.
The link on the Single sign-on page now reads switch back to OAuth 2.0 connection. Use this link when you want to return to using your new connection.